Encryption, generally, is the conversion of data into a form, called a ciphertext or cipher, that cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form, so it can be understood. Simple ciphers include the substitution of letters for numbers, the rotation of letters in the alphabet, and the “scrambling” of voice signals by inverting the sideband frequencies. More complex ciphers work according to sophisticated computer algorithms that rearrange the data bits in digital signals.
Encryption algorithms in use today, such as Ron's Code 4 (“RC4”), Data Encryption Standard (“DES”), Triple DES (“3DES”), and the newly introduced (2000) Advanced Encryption Standard (“AES”), are capable of encrypting and decrypting data based on input (such as a password) entered by a user. For example, a first user (“George”) can encrypt his data using his password, “Cloud9,” while a second user (“Martha”) can encrypt her data differently using her own password, “go2mars.” George and Martha, by using different passwords, are generating different encryption and decryption keys. Martha will not be able to decrypt George's data unless she gets George's decryption key (in this example, his password, Cloud9) and uses the key with the appropriate encryption algorithm (AES) to decrypt George's data.
Encryption algorithms are also capable of “asymmetric encryption” in which two keys can be associated with encrypted data. Data encrypted using the first key can only be decrypted with the second key, and vice-versa. This allows for the generation of public/private key systems. In such a system, a public key may be distributed publicly, which allows anyone to encrypt data using the public key. The private key, however, is the only key that can decrypt the data that was encrypted using the public key. Once again, remember that these systems rely on use of the same encryption algorithm. If a public key is used to encrypt data using one particular encryption algorithm, the private key must be used in conjunction with the same encryption algorithm to decrypt the data.
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of usernames and passwords. Knowledge of a password is assumed to verify the user's identity. Each user registers initially, using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password. Many institutions require a more stringent authentication process than the simple username and password approach. Such processes frequently involve encryption.
Encryption lends itself naturally to authentication, because a device that is able to decrypt a uniquely encrypted message can effectively prove its identity. Many authentication protocols, such as Kerberos, New Technology LanManager (“NTLM”), and the like utilize this feature of encryption for authentication. An authentication protocol is a sequence of steps that are carried out in an authentication. For a detailed explanation of an exemplary authentication protocol, refer to the detailed description section of this document, which describes the popular Kerberos authentication protocol.
On large computer networks, such as the Internet, encryption is an especially valuable tool for authentication because it allows one computer to authenticate another computer without any prior contact between the two computers. Compare this to the situation where a server assigns a username and password to a client. In that scenario, some prior communication may be required so both parties know the username and password, and moreover a server must keep a list of all the client devices, along with the relevant usernames and passwords, that are allowed access to server resources. As networks grow larger, storing this information becomes unruly. Authentication using passwords has at least two additional shortcomings. First of all, it is time-consuming for the user. Secondly, and more importantly, it is insecure when accessing services on a remote machine. For instance, if a user is logged into a first remote machine, and decides to log in from there to another remote machine, then the user's password would travel to the second remote machine “in the clear” (unencrypted). Clearly, this is unacceptable.
In contrast, when encryption is used, a client device can obtain an encrypted piece of data from a third party. It can send this data to a server that possesses a decryption key for the data. By demonstrating its ability to decrypt the data, the server can authenticate itself to the client. Similar techniques can be employed to allow the reverse, i.e., allowing the client to authenticate itself to the server. Once again, this process will be explained in greater detail below.
By allowing authentication between computing devices that have not had prior communication, a potential problem of interoperability arises. More specifically, various computing devices may not use the same encryption algorithm. As alluded to above, if a first computer user, George, is using RC4 as an encryption algorithm, and a second computer user, Martha, is using DES, it does not matter that Martha may have the decryption key for data sent from George. The different encryption algorithms will each encrypt and decrypt data differently, so Martha's attempt to decrypt data sent from George will fail because the key types possessed by both sides do not match.
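The George and Martha scenario above, as an added Python example that is not part of the original text: decryption succeeds only when both the password-derived key and the algorithm match. The PBKDF2 key derivation, the appended integrity tag, the salt, and the second cipher `alt_cipher` (a stand-in, not DES) are assumptions made for illustration.

```python
import hashlib, hmac

def derive_key(password: str, salt: bytes) -> bytes:
    # 64 bytes: first half keys the cipher, second half keys the integrity tag.
    # PBKDF2 is an assumption; the page only says keys come from passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)

def rc4(key: bytes, data: bytes) -> bytes:
    # RC4: key scheduling, then XOR with the keystream (encrypts and decrypts).
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def alt_cipher(key: bytes, data: bytes) -> bytes:
    # Hypothetical second algorithm (SHA-256 counter keystream), standing in
    # for "a different cipher"; it is not DES or AES.
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(hashlib.sha256(key + n.to_bytes(4, "big")).digest() for n in blocks)
    return bytes(a ^ b for a, b in zip(data, ks))

CIPHERS = {"rc4": rc4, "alt": alt_cipher}

def seal(alg: str, key: bytes, plaintext: bytes) -> bytes:
    # Encrypt plaintext plus a tag so a failed decryption is detectable.
    tag = hmac.new(key[32:], plaintext, hashlib.sha256).digest()
    return CIPHERS[alg](key[:32], plaintext + tag)

def unseal(alg: str, key: bytes, blob: bytes):
    # Returns the plaintext, or None if key or algorithm does not match.
    raw = CIPHERS[alg](key[:32], blob)
    msg, tag = raw[:-32], raw[-32:]
    good = hmac.new(key[32:], msg, hashlib.sha256).digest()
    return msg if hmac.compare_digest(tag, good) else None

SALT = b"constructed-salt"                      # constructed sample value
george = derive_key("Cloud9", SALT)
martha = derive_key("go2mars", SALT)
blob = seal("rc4", george, b"George's data")    # George encrypts with RC4
print(unseal("rc4", george, blob))   # right key, right algorithm
print(unseal("rc4", martha, blob))   # Martha's own key
print(unseal("alt", george, blob))   # George's key, wrong algorithm
```

The third call is the interoperability failure: Martha holding George's key is not enough when her side runs a different algorithm.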
Even when interoperability is possible, the users or administrators of the computing devices may prefer one encryption algorithm over another. Historically, interoperability and/or user preference in encryption algorithms have not raised significant barriers to using encryption for authentication. This may have been in part because MICROSOFT® WINDOWS, a widely used operating system, ships equipped with the RC4 encryption algorithm. However, as encryption becomes more widely used, in the context of authentication and otherwise, emerging encryption algorithms are likely to come into wider use. Namely, at the time of this writing, the AES encryption algorithm has been adopted as the encryption standard for the United States government, and is likely to experience increased use.
To the extent that interoperability and user preference have been addressed, it has been in the form of prior manual notification to relevant computers that a particular server runs a different encryption algorithm than RC4. For example, an administrator might designate a server as “DES only” in an appropriate field of a client computer, allowing that client to later authenticate itself to the server. The server could also be designated “DES only” with an appropriate “ticket granting service,” or server that provides encrypted authentication data to client computers. Both of these techniques are cumbersome and not realistically scalable to widespread use of encrypted data as a means of authentication in computer networks.
In light of the above shortcomings in the art, there exists a heretofore unaddressed need to provide for interoperability and user preference in computing devices that engage in encryption-based authentication protocols.